Windows 7 Review, Part 5: Security

With Windows 7, the security pain of the past decade comes to a decisive close. This is the most secure Windows version ever created, one that builds on the solid and proven foundation of Windows Vista while removing some of the heft and monolith intransience of its predecessor. Perfect? No, Microsoft still bows to the industry machinery that prevents it from just protecting Windows users across the board and bundling core anti-malware functionality into the OS. But it's still better than ever, and let's face, there isn't a PC sold today that doesn't come with some form of additional security software. And Microsoft's unfortunately separate (but free) Security Essentials package completes the picture. Let's take a look.

Security for the next decade

Back in late 2001, Microsoft shipped the initial version of Windows XP, and it was almost immediately hacked in a high-profile and embarrassing episode that eventually caused the company to completely halt development of its most important products and retool around a security-first process that came to be known as Trustworthy Computing. The ramifications of this initiative are enormously and provably positive, as most recently evidenced by Windows Vista and Windows Server 2008, the generation of Windows products upon which Windows 7 is based. These systems introduced a highly componentized design that, among other things, helps segregate different parts of the system from each other, making intra-process security flaws more unlikely.

New and improved security features in Windows 7

Windows 7 builds on the security foundation that debuted with its predecessors. And this time around, those security features--so disruptive at the time but now obviously essential--are being enhanced to make them simpler and more manageable. From a security standpoint, everything good from Windows Vista was brought forward, but much of it has been enhanced based on end user requests and real world experience.

Action Center

While Action Center isn't solely a security feature, it does offer a centralized notification system that is largely security-based. It replaces the Security Center that debuted in Windows XP Service Pack 2 (and was later improved for Windows Vista), adding access to Windows 7's various maintenance tools, including the troubleshooting infrastructure and Windows Backup. But aside from the addition non-security functionality, the best thing about Action Center is that it's quiet. Unlike its predecessor, Action Center doesn't throw out a dozen annoying balloon windows every 15 minutes. (There is one exception: For some reason, it feels the need to tell you about the fact that Windows Update will periodically check for updates; clicking that balloon window will cause an unwanted Windows Help window to appear. Thanks for the info, Action Center.)

Action Center.

User Account Control

If there's one feature that defines Windows Vista for a huge percentage of users, it's gotta be User Account Control (UAC). But it still amazes me that this feature caused any outcry, since Mac OS X and Linux have had their own annoying UAC-like pop-ups for years and, more important, perhaps, those UAC pop-ups in Windows Vista get less and less annoying over time. (And are, incidentally, less annoying than they are in, say, Mac OS X. Yes, I know, it's shocking.) But perceptions are what they are. And for many people, UAC was a problem, real or imagined.

Well, bad news, UAC haters. Thanks to this and other security features in Windows Vista, Microsoft was able to cut down on malware infections by a whopping 60 percent when compared to the UAC-less Windows XP with Service Pack 2. So UAC is back in Windows 7.

Microsoft improved UAC in two obvious ways in Windows 7. First, it's not as annoying, by which I mean that fewer actions trigger UAC consent prompts in Windows 7 than was the case in Windows Vista. That required a simple examination of the system, seeing which actions triggered UAC prompts, and then deciding whether they were really dangerous. The innocuous ones were taken off the list.

Secondly, Microsoft has created a very simple UI for managing how UAC works in Windows 7. Now, there is a slider with four possible settings, ranging from "Always notify" (what I think of as "Windows Vista mode") to "Never notify" ("Windows XP mode"). By default, Windows 7's UAC is set to run one notch down from "Windows Vista mode" (called "Notify me only when programs try to make changes to my computer"), and it's a common sense setting that is secure but less annoying.

The new User Account Control management interface.

Those that wish to ratchet up the security can do so. Likewise, those that foolishly believe UAC is nothing but an annoyance can turn it off. And unlike with Vista, where various technical workarounds were required to turn off UAC, you won't get any silly notification-based warnings popping up repeatedly if you do so. You're free to make your own stupid mistakes.

To me, UAC is like the middle brake light on a car: It's just another level of defense, and one that is a bit more likely to catch your eye. You're free to ignore it, to your own detriment. But for those who actually care whether their PCs are infected with malware, UAC has proven to be a wonderful tool. And it's even better now.

Windows Defender

Microsoft debuted its Windows Defender anti-spyware utility as an add-on for Windows XP and it was previously included in Windows Vista. Sadly, this is one example of where Microsoft's simplification jihad in Windows 7 has ended up making the system a bit less useful than its predecessor. In Windows XP and Vista, Windows Defender includes an incredibly valuable (if little-known) utility called Software Explorer that lets you easily prevent applications from auto-running at boot time and adding icons to your notification area. In Windows 7, this capability was removed from Windows Vista because, in Microsoft's words, "it's not integral to spyware detection and removal." Baloney, I say. But I've been told that a planned replacement for Software Explorer was not completed in time for Windows 7. It should appear at a later date.

Beyond this unfortunate omission, Windows Defender has evolved somewhat in Windows 7. It now features a more streamlined UI and provides alerts through the centralized Action Center notification system. Microsoft has also worked to ensure that Windows Defender's real-time monitoring consumes fewer resources and thus impacts PC performance less than before. I've always found this to be a very low-impact anti-spyware solution, so while these changes are welcome, Windows Defender was never particularly annoying before.

Note: A newer generation of the Windows Defender technology is included in Microsoft Security Essentials, as described below. When you install MSE, it replaces Windows Defender.

Parental Controls

As with Windows Defender, the Parental Controls functionality in Windows 7 has been detuned somewhat since its debut in Windows Vista. Now, you can apply controls for time limits, games, and application usage to any standard user account. But activity reporting and web filtering--features of the Windows Vista version of Parental Controls--are gone. This seems like a major limitation, but in truth, Microsoft has simply created a framework that allows third-party security tools makers to add this functionality to Windows 7. And if you're looking for a free solution, look no further than Microsoft's Windows Live Family Safety, part of Windows Live Essentials. Windows Live Family Safety adds web filtering, activity reporting, contact management, and permission request capabilities to the core Windows 7 Parental Controls functionality.

Internet Explorer 8 security features

While Internet Explorer 8 (IE 8) provides a number of interesting functional changes (see my Internet Explorer 8 review), Microsoft's latest browser also works in tandem with the underlying operating system to provide a more secure web experience as well. For example, the browser includes the InPrivate browsing mode, which hides your virtual tracks while online, and improved ActiveX restrictions, though one can help but think that Microsoft should simply be moving towards a more secure method of extending browser functionality. The new SmartScreen Filter (really an improved version of the anti-phishing filter from IE 7) provides protection from malicious web sites that masquerade as legit sites and silently try to deliver malware to your PC.

IE 8 SmartScreen Filter.

Microsoft Security Essentials

Microsoft Security Essentials is one of the best security features in Windows 7, even though it doesn't technically come with Windows 7. And while I've been lobbying Microsoft for years to simply include pervasive antivirus and anti-malware functionality with Windows 7, giving it away for free isn't bad. Microsoft Security Essentials is basically the security parts of the product that used to be called Windows Live OneCare. It's absolutely free, will be widely available via the Microsoft web site by the time Windows 7 ships, and doesn't appear to impact system performance at all. It is what one might call baseline anti-malware functionality, and if you're using any modern Windows version, you need to skip out on the bloated security suites and just pick up this little wonder. It works great, and you'll almost never even notice it's there.

Microsoft Security Essentials.

Final thoughts

While the security improvements in Windows Vista were somewhat revolutionary, this time around we get evolutionary improvements to those features. And that's exactly what Windows users need right now, since Microsoft got it so right in the previous version. From a security standpoint, Windows 7 really is a better Vista. It's more secure, but easier to manage, and with better performance and fewer interruptions.